oss-sec mailing list archives
Re: Re: utf-8 security issue in php - 2 CVEs?
From: Pierre Joye <pierre.php () gmail com>
Date: Wed, 17 Nov 2010 16:50:59 +0100
On Wed, Nov 17, 2010 at 4:45 AM, Huzaifa Sidhpurwala <huzaifas () redhat com> wrote:
> On 11/16/2010 08:40 PM, Pierre Joye wrote:
>> Hi,
>>
>> New fixes or improved fixes, even for a known flaw, get a new CVE #. I was not sure about that a couple of months ago, but that's the answer I got when I asked about the policy for such cases. I think it makes even more sense in this particular flaw.
>
> Right. However, I am wondering why there is no mention of CVE-2009-5016 in the php NEWS file from the SVN. It only mentions:
>
> " - Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the number of reported malformed sequences). (CVE-2010-3870) (Gustavo) "

I only updated the NEWS for the upcoming release as the fix applies to this specific CVE. However I can add a ref to CVE-2009-5016 to the related NEWS entry (for the record, as it was released already), if you have found it :)

--
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org